Full Lifecycle Threat Management by Integrating DFLabs SOAR with McAfee ePO

Posted by John Moran - 02nd Aug 2018

The escalation of the cyber threat environment, a growing attack surface, increased regulatory cyber security requirements and a shortfall in skilled cyber security professionals have converged into a nexus of forces that challenges enterprises to manage threats and their overall security posture while succeeding in business in the 21st century. Machine learning and security automation are critical capabilities for surmounting these challenges and will enable organizations to thrive amidst adversity.

Security operations teams struggle to gain visibility of threats and to respond rapidly to incidents because of the sheer number of different security technologies they must maintain and manage, and the resulting flood of cyber alerts. The challenges they face include, but are not limited to:

  • How can I aggregate and correlate disparate security sources to increase my visibility of threats and effectively investigate alerts and incidents?
  • How can I prioritize my response to security incidents at volume and at scale across a growing attack surface?
  • How can I rapidly respond to security incidents with limited resources to contain the damage and limit legal exposure?

DFLabs and McAfee are key partners in delivering full lifecycle threat management.

McAfee ePolicy Orchestrator (McAfee ePO) is the most advanced, extensible, and scalable centralized security management software in the industry. Unifying security management through an open platform, McAfee ePO makes risk and compliance management simpler and more successful for organizations of all sizes. As the foundation of the McAfee Security Management Platform, McAfee ePO enables customers to connect industry-leading security solutions to their enterprise infrastructure to increase visibility, gain efficiencies, and strengthen protection.

Aggregating these alerts into a single pane of glass, in order to prioritize what is critical and needs immediate attention, requires a platform that can consolidate disparate technologies and alerts and that provides a cohesive, comprehensive capability set for orchestrating incident response efforts.

By integrating with McAfee ePO, DFLabs' IncMan SOAR platform extends these capabilities to McAfee customers, enabling them to execute full lifecycle incident response management.

DFLabs IncMan R3 Rapid Response Runbooks automate and orchestrate end-to-end threat containment by integrating with McAfee ePO. Security operations teams can enrich security incidents with asset context and quarantine compromised systems based on conditional and logical decision paths that can be fully or semi-automated. This acts as a force multiplier, reducing the time from threat discovery to containment and increasing operational efficiency. DFLabs' machine-learning-driven Automated Responder Knowledge guides security analysts in identifying the most effective course of action using McAfee ePO.

DFLabs SOAR and McAfee ePO Use Case in Action

An alert based on a malicious file detected by AV has automatically generated an incident within IncMan. The alert is automatically categorized as a Malware incident within IncMan based on the organization's policies, which initiates the organization's Malware Alert runbook, shown below.

[Figure: the Malware Alert runbook in IncMan (threat management incman_1)]

IncMan automatically queries the hash value provided by the organization's AV solution against VirusTotal. If VirusTotal indicates that five or more AV vendors have identified the hash value as malicious, IncMan uses an Enrichment action to automatically query McAfee ePO for the host information and sends this information to the appropriate analysts.

Next, using a Containment action, IncMan automatically tags the host that generated the AV alert with the tag "quarantine" in McAfee ePO. Finally, IncMan notifies the appropriate analysts that the host has been appropriately tagged in IncMan.
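The decision logic of the Malware Alert runbook described above, modelled in plain Python as an added example (this is not IncMan's or McAfee's code). The VirusTotal report and the ePO system tree are in-memory stand-ins built from constructed sample data, and the hostnames, hashes and function names are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

VT_THRESHOLD = 5               # AV vendors flagging the hash before acting (from the post)
QUARANTINE_TAG = "quarantine"  # ePO tag the runbook applies as containment
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed stand-in for VirusTotal file reports: sha256 -> detection count.
VT_REPORTS = {"a" * 64: 37, "b" * 64: 2}
# Constructed stand-in for the ePO system tree: hostname -> asset context.
EPO_SYSTEMS = {"WS-FIN-042": {"ip": "10.20.30.42", "os": "Windows 10", "tags": ["workstation"]}}

@dataclass
class RunbookResult:
    vt_positives: object = None     # None when VirusTotal has no report or the hash is malformed
    host_context: object = None     # ePO asset record when enrichment ran and found the host
    actions: list = field(default_factory=list)
    notifications: list = field(default_factory=list)

def vt_lookup(sha256):
    """Detection count for the hash, or None when VirusTotal has never seen it."""
    return VT_REPORTS.get(sha256.lower())

def epo_apply_tag(hostname, tag):
    """Idempotent: re-running the runbook must not stack duplicate tags."""
    tags = EPO_SYSTEMS[hostname]["tags"]
    if tag not in tags:
        tags.append(tag)

def malware_alert_runbook(alert):
    """Enrich via ePO and quarantine only when the hash clears the VT threshold."""
    r, sha256, host = RunbookResult(), alert["sha256"], alert["hostname"]
    if not SHA256_RE.match(sha256):
        r.notifications.append(f"{host}: malformed hash in AV alert, manual review")
        return r
    r.vt_positives = vt_lookup(sha256)
    if r.vt_positives is None or r.vt_positives < VT_THRESHOLD:
        r.notifications.append(f"{host}: below VT threshold, no automated containment")
        return r
    # Enrichment: pull asset context from ePO before acting on the host.
    r.host_context = EPO_SYSTEMS.get(host)
    r.actions.append("enrich:epo_host_info")
    if r.host_context is None:
        r.notifications.append(f"{host}: not in ePO system tree, escalate to analyst")
        return r
    # Containment: apply the 'quarantine' tag in ePO, as the post's runbook does.
    epo_apply_tag(host, QUARANTINE_TAG)
    r.actions.append(f"contain:epo_tag:{QUARANTINE_TAG}")
    r.notifications.append(f"{host}: tagged '{QUARANTINE_TAG}' in ePO, analysts notified")
    return r
```

The three early returns are the branches an analyst would otherwise have to handle by hand: a malformed hash, a hash below the threshold or unknown to VirusTotal, and a host that ePO has no record of.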

[Figure: enrichment and containment actions in the runbook (threat management incman_2)]

The automated workflow of IncMan's R3 Runbooks means that the incident will have been generated, and these enrichment and containment actions committed through the Quick Integration Connector for McAfee ePO, before an analyst is even aware that an incident has occurred.

Harnessing the power of McAfee ePolicy Orchestrator, along with the Security Orchestration, Automation, and Response capabilities of DFLabs' IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective incident response and reduced risk across the entire organization.